
Add BOF to collect Slack cookies from Slack or browser processes #25

Merged (3 commits), Feb 2, 2024

Conversation

Tw1sm (Contributor) commented Nov 2, 2023

This is basically a clone of the office_tokens BOF with very minor modifications to target the Slack d cookie, which can be replayed via the browser/desktop app.

freefirex (Collaborator) left a comment

Thanks for the pull, only one item I'd like to see changed:

if (buffer[index] == 0x78 && buffer[index + 1] == 0x6f && buffer[index + 2] == 0x78 && buffer[index + 3] == 0x64 && buffer[index + 4] == 0x2d)
{
    BeaconPrintf(CALLBACK_OUTPUT, "Slack Cookie: %s", buffer + index);
    index += MSVCRT$strlen((char *)(buffer + index)) - 1;
freefirex (Collaborator) commented on the lines above:

If you could flip this out to an strnlen using the remainder of the buffer to be examined as the size, I'll happily accept this.

The LoadLibrary calls should also have a matching FreeLibrary call. The msg should call out being unable to load kernel32; granted, if this BOF started running, kernel32 should already be loaded in.

Tw1sm (Contributor, Author) commented Feb 1, 2024

@freefirex Made the suggested changes (thanks again for providing) - let me know if any other edits are needed!

@freefirex freefirex merged commit 121a3fe into trustedsec:main Feb 2, 2024
freefirex (Collaborator):

Awesome 💯 Merged!
